Despite the recent commitment by the head of Java security that his team would fix bugs in the Java software, a researcher claims that a bug can still allow browser attacks.
The Java 7 Update 10 as well as the latest Update 11 let users decide which Java applets are allowed to run within their browsers. According to Oracle, users may control the level of security that will be used when running unsigned Java apps in a web browser.
Apart from being able to completely disable Java content
in the browser, four security levels can be
used for the configuration of unsigned Java applications:
- "Low" - Most unsigned Java apps in the browser will run without prompting
- "Medium" - Unsigned Java apps in the browser will run withoutprompting only if the Java version is considered secure.
- "High" - User will be prompted before any unsigned Java app runs in the browser.
- "Very High" - Unsigned (sandboxed) apps will not run.
But according to Adam Gowdiak, CEO of Security Explorations, none of the settings can stymie an attacker. He claims that in practice, it
is possible to execute an unsigned (and malicious) Java
code without a prompt corresponding to security settings
configured in Java Control Panel.
Gowdiak said that a 'Proof of Concept' code that illustrates Issue 53 had been executed in the environment of latest Java SE 7 Update 11 (JRE version 1.7.0_11-b21) under Windows 7 OS and with "Very High" Java Control Panel security settings.
Gowdiak suggests that people turn to a browser with 'click-to-play,' a feature that forces users to explicitly authorize a plug-in's execution. Chrome and Firefox include support this feature.